ISO 27001 Statement of Applicability: A simple step-by-step guide

The Statement of Applicability (SoA) is a critical document in achieving your ISO 27001 certification. It is one of the first things auditors examine during an ISO 27001 audit. It's their roadmap to understanding which controls you've implemented, why certain ones don't apply, and how everything fits together. 

A well-structured SoA guides auditors efficiently through your control landscape. A messy or incomplete one turns your audit into a discovery exercise nobody wants.

In this guide, we'll show you a straightforward process for creating and maintaining your ISO 27001 Statement of Applicability.

What is the Statement of Applicability?

The Statement of Applicability (SoA) is a mandatory document required by clause 6.1.3 d of ISO 27001:2022 that serves as your organization's master control inventory. It acts as the master document about the state of all 93 controls in Annex A of ISO 27001:2022. 

For every single control, you need to clearly state whether it's applicable to your organization, provide solid justification for including or excluding it, and explain exactly how you've implemented it if you've chosen to use it.

But ISO doesn’t force you to implement all 93 controls. You only need to justify why you’re including or excluding each one based on your business needs and risk assessment.

Mandatory requirements for SoA:

• Must be formally documented (no informal notes or spreadsheets)
• Requires explicit management approval to demonstrate organizational commitment
• Must systematically cover all 93 Annex A controls without exception
• Should be maintained under proper version control
• Must be updated whenever your risk environment or business context changes

Why is the Statement of Applicability vital for ISO 27001

Your SoA is beyond a simple checklist. It maps out which of the 93 Annex A controls you're implementing, how you're doing it, and why certain controls don't make sense for your organization. It explains why each control matters for your specific environment and confirms whether implementation is complete.

1. Link risks directly to controls

Without a clear connection between identified risks and chosen controls, you risk implementing measures that don’t address your real threats, or overlooking gaps altogether. The SoA prompts you to document exactly how each control mitigates specific risks, ensuring your risk treatment plan stays laser‑focused on what truly matters.

2. Accelerate and simplify audits

Auditors need to verify dozens of controls quickly. A well‑structured SoA serves as a one‑stop reference that shows which controls you’ve implemented (and why), cutting down on audit back‑and‑forth, reducing surprises, and speeding up certification or surveillance reviews.

3. Prove compliance with confidence

Legal and contractual obligations can carry hefty fines or lost business if ignored. By capturing every externally driven control in your SoA—and explaining its justification— the document helps you pair evidence and implementation. This helps you prove to regulators, customers, and partners that you’ve met all your mandatory requirements, avoiding penalties and reputational damage.

4. Offer a snapshot of your security posture

Executives, board members, and non‑technical stakeholders need a concise view of your security posture. The SoA provides that high‑level summary—listing controls, statuses, and rationales—so leadership can grasp risks and investments at a glance, make informed decisions, and prioritize resources effectively.

5. Keep your ISMS agile and current

Information security isn’t static. New threats emerge, business processes evolve, and technology shifts. Treating the SoA as a living document—with scheduled reviews and updates—keeps your ISMS aligned to current realities, helps identify outdated or missing controls, and embeds a culture of ongoing enhancement.

6. Unify teams around security objectives

Security touches IT, legal, HR, operations, and more. The SoA creates a single source of truth for all departments, clarifying who owns what controls, and why. This shared reference breaks down silos, fosters accountability, and ensures everyone speaks the same language when it comes to risk management.

7. Strengthen stakeholder trust 

Customers, partners, and investors want to see that you take security seriously. A transparent, well‑documented SoA demonstrates due diligence, maturity, and commitment—transforming your certification from a checkbox exercise into a visible badge of trust that can win business and strengthen relationships.

How many controls are in ISO 27001: Understanding Annex A of ISO 27001

ISO 27001:2022 Annex A outlines 93 distinct security controls. While this is a significant drop from the 2013 version's 114 controls, the intent and scope of these controls has not reduced. When you treat risks (as mentioned in clause 6.1.3), you have to document the controls you chose from Annex A. Do note that you can select controls based on your company’s needs and it is not mandatory to implement all controls.

The controls fall into four main categories that build your Statement of Applicability:

1. Organizational controls

This largest category features 37 controls (numbered 5.1 to 5.37). These controls are the foundation of your information security framework. They include policies, procedures, and structural elements. Your organization's approach to data protection takes shape through these measures. The controls handle everything from security policies to management duties. These elements build the core of your security position.

2. People controls

Eight controls (numbered 6.1 to 6.8) make up this category that puts people first. These measures guide staff interactions with sensitive data. Security awareness training, screening processes, and employment terms are part of these controls. Remote work guidelines and confidentiality agreements play a vital role in today's scattered work setup.

3. Physical controls

Fourteen controls (numbered 7.1 to 7.14) protect your physical assets. They set up secure zones with proper entry limits and shield against environmental risks. The controls defend your information processing facilities from unauthorized access, damage, and interference.

4. Technological controls

Thirty-four controls (numbered 8.1 to 8.34) focus on digital security. They cover areas like network security, encryption, malware defense, data masking, and managing technical vulnerabilities. These controls are critical to your security strategy in today's digital business world.

Your ISO 27001 Statement of Applicability should include a review of all 93 controls based on your organization's needs and risk profile.

Creating the Statement of Applicability: A step-by-step blueprint

Creating an ISO 27001 Statement of Applicability (SoA) needs a well-laid-out approach that links risk assessment to security implementation. Here's a breakdown of the process into manageable steps to help you develop this document.

1. Understand ISO 27001 requirements and controls

You need to be familiar with ISO 27001 standards to begin your SoA work. Study the 93 controls in Annex A and ISO 27002, which give detailed implementation guidance. This foundation helps align your security measures with international standards, strengthening your overall protection against data breaches.. You'll need to identify which controls apply to your organization's specific context. These controls will then form the backbone of your SoA.

2. Conduct a risk assessment

Start by identifying and cataloging all valuable assets—data, hardware, software, and processes. Next, assess the threats and vulnerabilities linked to these assets, and prioritize them based on likelihood and potential impact. This method enables you to tailor security measures to your organization's unique needs. The result is a security posture that’s both effective and resilient. 

3. Complete the risk treatment plan

The Risk Treatment Plan documents your response strategies after risk identification. This tactical document outlines the actions needed to address identified security risks. You must decide to avoid, accept, reduce, or transfer each risk. Ideally, your plan should list the security controls to be implemented, the responsible parties, implementation timelines, and resource needs. External auditors review this document closely during ISO 27001 certification audits.

4. Select the applicable controls

The next step is to determine which Annex A controls apply to your organization. Map each identified risk to the relevant controls selected through your risk treatment process. 

Document your rationale if you exclude any controls. Note that not all controls may match your security objectives. For example, why spend $50,000 on advanced DLP software to prevent a risk that might cost $5,000 annually. Risk acceptance also applies when the likelihood or impact is genuinely low. A small SaaS company with 10 employees probably doesn't require enterprise-grade physical security controls, such as biometric access systems and security guards. The threat exists, but it's not proportional to your business size or risk profile. 

A solid justification for exclusions shows careful assessment rather than oversight.

5. Finalize and approve the SoA

The last step is to compile your findings into the formal SoA document. ISO 27001 requires the implementation status (planned, in progress, or implemented) for each control. Get stakeholders from relevant departments to review, provide feedback, and refine the document. Management's formal approval demonstrates its commitment to your security framework and prepares you for the ISO 27001 certification process.

6. Review and update the SoA regularly

As per Clause 9.3 of ISO 27001, organizations review the SoA at least annually. However, organizations must review the SoA whenever big changes happen like new risks popping up, company restructuring, or after security incidents that show gaps in your defenses. 

To simplify, ensure your SoA still reflects reality and actually protects what matters most to your business.

Comparing the ISO 27001 SoA and other reporting documents 

While each document supports the certification process with a specific purpose, many organizations, especially newer ones, struggle to understand how these pieces fit together. Here's how these essential documents work together:

How Scrut helps you achieve ISO 27001 compliance

Scrut makes it easier for you to achieve and maintain ISO 27001 certification by providing a comprehensive, user-friendly platform built specifically for information security management. It helps you address all the standard’s requirements—including building and maintaining your SoA—while minimizing manual work and complexity. Here’s how: 

1. Simplified risk assessment

‍Scrut streamlines the process of identifying, assessing, and managing risks. With built-in templates and intuitive tools, you can easily document risks, evaluate their potential impact, and define mitigation strategies to stay aligned with ISO 27001’s risk management requirements.

2. Ready-to-use policy and document templates

‍You’ll gain access to a library of pre-built, customizable templates covering essential ISO 27001 policies, including information security, incident response, and access control. This saves you time and ensures your documentation is audit-ready from the start.

3. Centralized control management‍

Scrut maps your security controls directly to ISO 27001 clauses and Annex A controls, allowing you to implement, monitor, and manage them seamlessly. A centralized dashboard gives you real-time visibility into the effectiveness of your controls and your overall compliance status.

4. Automated evidence collection‍

By integrating with your existing tools and systems, Scrut automates the collection of evidence for your controls. This keeps you continuously audit-ready and takes the burden out of manual documentation.

5. Audit preparation and support

‍Scrut helps you stay ahead of audits by identifying gaps, tracking non-conformities, and ensuring all ISO 27001 requirements are fully addressed. It also provides a shared audit workspace where auditors can access all relevant artifacts, record findings or corrective actions, and tag internal stakeholders—all in real time—so every change and comment is logged and visible throughout the certification process.

6. Ongoing monitoring and reporting

‍With Scrut’s continuous monitoring capabilities, you can ensure your ISMS stays compliant over time. Easily generate detailed reports for management reviews, internal assessments, and external audits whenever needed.

By using Scrut, you not only simplify your ISO 27001 journey, but also strengthen the core of your ISMS with an always up-to-date ISO 27001 Statement of Applicability—reducing the time and resources needed for compliance, and enhancing your overall security posture.